Hacking Public Warning System in LTE Mobile Network


Li, Weiguang 


weelight.li@gmail.com


UnicornTeam @ 360 Technology


Agenda 


01 About Public Warning System in LTE Network 
02 The Vulnerability in LTE Protocol 
03 Trigger the Vulnerability 
a. Build a Fake LTE Base Station 
b. Forge the Fake Warning Messages


04 Conclusion 


About Public Warning System in LTE Network

PWS Warning System All Over the World


Press Release 


* Hawaiian Missile Alert in January 2018 


EMERGENCY ALERTS


Emergency Alert 
BALLISTIC MISSILE THREAT INBOUND TO 
HAWAII. SEEK IMMEDIATE SHELTER. THIS 
IS NOT A DRILL. 




The Vulnerability in LTE Protocol

Vulnerabilities in LTE Protocol

1. The warning messages over the air are not encrypted or integrity protected.


2. UE doesn’t authenticate the base station during reselection.


Trigger the vulnerability 


How to Build a Fake LTE Network 


Hardware 
USRP B210 
ThinkPad 


Software 
srsLTE / srsENB


How to get these parameters 


Band: 3
LAC: 4154
TAC: 4154
PCI: 438
PSC: 462
LTE: -88.0 dBm
GSM: -53.0 dBm
Tower: N/A

DL EARFCN: 1650
UL EARFCN: 19650
DL Freq: 1850.0 MHz
UL Freq: 1755.0 MHz

EARFCN (LTE band 3)

Type    RSRP  RSRQ  PCI
LTE     -88   -10   438
LTE     -104  -20   250

Type    RSSI  PSC
W-CDMA  -53   462
W-CDMA  -63   333

LTE Discovery App


Act like a Normal Base Station


Configuration in srsENB 


phy_cell_id
0x103a
460
01
addr = 127.0.1.108
gtp_bind_addr = 127.0.0.1
n_prb = 50
#tm = 4


srsLTE config file 


PWS Message's Carrier: System Information Block

* SIB Type 1: SIB scheduling information
* SIB Type 2: Common and shared channel information
* SIB Type 3: Cell re-selection information
* SIB Type 4: Cell re-selection information, intra-frequency neighbor information
* SIB Type 5: Cell re-selection information, intra-frequency neighbor information
* SIB Type 6: Cell re-selection information for UTRA
* SIB Type 7: Cell re-selection information for GERAN
* SIB Type 8: Cell re-selection information for CDMA2000
* SIB Type 9: Home eNB identifier

Forge the ETWS Message 


Four main components are involved in sending ETWS


* SIB 10 : Primary Notification 

* SIB 11 : Secondary Notification 

* Paging : ETWS indication 

* SIB 1: Schedule SIB 10 and SIB 11 


ETWS Primary Notification 


* The ETWS Primary Notification message cannot contain
specific message content.


SystemInformationBlockType10 information element


-- ASN1START
SystemInformationBlockType10 ::= SEQUENCE {
    messageIdentifier           BIT STRING (SIZE (16)),
    serialNumber                BIT STRING (SIZE (16)),
    warningType                 OCTET STRING (SIZE (2)),
    dummy                       OCTET STRING (SIZE (50))    OPTIONAL,   -- Need OP
    ...,
    lateNonCriticalExtension    OCTET STRING                OPTIONAL
}
-- ASN1STOP


Main source code to send ETWS primary notification


Fake Earthquake Warning Demo


ETWS Secondary Notification 


Custom content 


ETWS secondary notification supports message 
segmentation. 


It supports the GSM-7 and UCS-2 character encoding
standards.


ETWS Secondary Notification 


SystemInformationBlockType11 information element


-- ASN1START
SystemInformationBlockType11 ::= SEQUENCE {
    messageIdentifier               BIT STRING (SIZE (16)),
    serialNumber                    BIT STRING (SIZE (16)),
    warningMessageSegmentType       ENUMERATED {notLastSegment, lastSegment},
    warningMessageSegmentNumber     INTEGER (0..63),
    warningMessageSegment           OCTET STRING,
    dataCodingScheme                OCTET STRING (SIZE (1))     OPTIONAL,   -- Cond Segment1
    ...,
    lateNonCriticalExtension        OCTET STRING                OPTIONAL
}
-- ASN1STOP


Source code to send ETWS secondary notification 


*sib11_ptr = *) (sizeof(LIBLTE_RRC_SYS_INFO_BLOCK_TYPE_STRUCT));
sib11_ptr->sib_type = LIBLTE_RRC_SYS_INFO_BLOCK_TYPE_11;
sib11;
sib11.message_identifier = 0x1102;
sib11.serial_number = 0x3000 4 ( () % 11);
sib11.segment_size = 84;


sib11.data_coding_scheme = 0x48;


sib11.warning_message_segment_type = IS_LAST_SEGMENT;
sib11.warning_message_segment_number = 9;


(1, 0x00, 0x68, 0x00, 0x74, 0x00, 0x74, 0x00, 0x70, 0x00, 0x73, 0x00, 0x3A, 0x00, 0x2F, 0x00, 0x2F, 0x00, 0x62, 0x00, 0x61, 0x00, 0x69, 0x00, 0x64,
sib11.warning_message_segment, "ning ne
sib11_ptr->sib, &sib11, si LIBLTE_RRC_SYS_INFO_BLOCK_TYPE_UNION))
E ( LIBLTE_RRC_SYS_INFO_BLOCK_TYPE_STRUCT ));


Not Just Warning Message 


* Set Message Identifier to 0x1104 instead of 0x1102 
* No loud alarm sound, just mild bells 


* Warning messages can be disguised as spam messages which 
may contain advertisements, phishing site or fraud messages. 


1102 ETWS CBS Message Identifier for earthquake and tsunami 
combined warning message. 

1104 ETWS CBS Message Identifier for messages related to other 
emergency types. 
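
A receiver-side check for the case above, as an added Go example that is not part of the original slides: it decodes UCS-2 alert text (data coding scheme 0x48, as in the slide's code) and flags links or long digit runs of the kind used in the spam demos. The `Alert` struct, `Inspect` and `ucs2` are hypothetical names, and the sample text is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode/utf16"
)

// Alert is a hypothetical, already-parsed view of a SIB11 notification.
type Alert struct {
	MessageID uint16 // 0x1102 or 0x1104 on the slides
	DCS       byte   // 0x48 in the slide's code, where the text is UCS-2
	Text      []byte // big-endian UCS-2 characters
}

var urlRe = regexp.MustCompile(`(?i)(https?://|www\.)\S+`)
var phoneRe = regexp.MustCompile(`\d{7,}`)
// ucs2 encodes s as big-endian UCS-2; used only to build constructed samples.
func ucs2(s string) []byte {
	var b []byte
	for _, u := range utf16.Encode([]rune(s)) {
		b = append(b, byte(u>>8), byte(u))
	}
	return b
}

// Inspect decodes the alert text and lists why it looks like spam, if it does.
func Inspect(a Alert) (string, []string, error) {
	if a.DCS != 0x48 || len(a.Text)%2 != 0 {
		return "", nil, fmt.Errorf("unsupported coding 0x%02x or odd length", a.DCS)
	}
	u := make([]uint16, len(a.Text)/2)
	for i := range u {
		u[i] = uint16(a.Text[2*i])<<8 | uint16(a.Text[2*i+1])
	}
	text, reasons := string(utf16.Decode(u)), []string{}
	if urlRe.MatchString(text) {
		reasons = append(reasons, "url")
	}
	if phoneRe.MatchString(text) {
		reasons = append(reasons, "phone")
	}
	return text, reasons, nil
}

func main() {
	a := Alert{0x1104, 0x48, ucs2("Number blocked, open http://example.invalid/x")}
	fmt.Println(Inspect(a)) // constructed sample, not a capture
}
```

GSM-7 text is rejected rather than decoded here; a real handset check would need that alphabet as well.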


Google Pixel's Response 


(a) Earthquake warning message in English
(b) Earthquake warning message in Chinese
(c) Spam message containing a phishing site
(d) Spam message containing a fraud phone number


(a) Earthquake and tsunami warning
Magnitude 7.2 earthquake
Affected cities: Beijing, Tianjin, and Qinhuangdao
1 mile from 798 Art Zone, Beijing · Nov 5, 3:19 PM


(b) Earthquake and tsunami warning
East longitude E116.48, north latitude N39.98, origin time: 2018-11-07, 21:49:39


(c) Emergency warning
Your mobile phone number is suspected of being illegal and has been blocked by the Public Security Bureau. Please open the http://t.cn/EwQOJNk link to apply for unblocking.


(d) Emergency warning
Your mobile phone number is suspected of being illegal and has been blocked by the Public Security Bureau. Please call 8575110 to apply for unblocking according to the process.

Phishing Warning Message Demo 


iPhone's Response 


EMERGENCY ALERTS

Emergency Alert
Magnitude 7.2 earthquake

* As the PWS is not a mandatory specification for all countries, different models of mobile phones may react differently.

* The iPhone that we tested doesn't respond to the Primary ETWS Warning message, but it can respond to the Secondary ETWS Warning message.

* The iPhone that we tested only responds to the test PLMN (MCC: 001, MNC: 01).




Conclusion 


Risk & Mitigation 


Potential Risk 


"WARNING: Magnitude 10 Earthquake Is Coming in One Minute" 


What will happen? 
It may cause serious population panic 


Mitigation 


* Verification of authenticity of the false base station 


* Add authentication procedure after cell selection 


* Add signature to the broadcast system information


Mitigation 


Network signs the PWS messages 


[Diagram: System Info, K-SIG and Time Counter feed the Security Algorithm, which produces the Digital Signature. The Protected System Info carries the System Info, the Digital Signature and the LSBs of Time Count.]

Q/A 
Thank You 


